SANS ISC InfoSec Forums

For a few days, huge debates have started on forums and mailing lists regarding Mozilla's announcement that it will enable DoH (DNS over HTTPS[1]) by default in its Firefox browser. Since this announcement, Google has also scheduled a move to this technology in upcoming Chrome releases (this was covered in today's podcast episode). My goal here is not to start a new debate. DoH definitely has good points regarding privacy, but the problem is always the way it is implemented. In corporate environments, security teams will certainly try to avoid the use of DoH for logging reasons (DNS logs are a gold mine in incident management and forensics).

Besides the classic browser reconfiguration options, Firefox implements a technique to detect whether DoH can or can't be used: it queries a specific "canary" domain, "use-application-dns.net". Firefox generates 'A' and 'AAAA' requests for this domain (using the DNS servers provided by the OS) and, if 'NXDOMAIN' is returned, it won't use DoH.

This morning, a DNS request to resolve this domain returned the following data on my network:

Now, let's see how to configure a Bind resolver (a well-known DNS server) to return 'NXDOMAIN' when a client tries to resolve this domain. The idea is to use RPZ (Response Policy Zones)[2]. I already covered this technique in a previous diary[3]. Here is a simple config for Bind:

Step 1, create a small zone file that will contain the domain we don’t want to resolve:
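The configuration itself is not reproduced on this page, so the following is an added example of a minimal RPZ setup for Bind 9 that returns NXDOMAIN for the canary domain; it is not the diary's own file. The zone name `rpz.local`, the path `/etc/bind/rpz.local` and the SOA serial are assumptions chosen for the example.

```bind
; --- /etc/bind/rpz.local (added example: RPZ zone file, path assumed) ---
; In an RPZ zone, "CNAME ." on a name means: answer NXDOMAIN for that name.
; ("CNAME *." would instead answer NODATA, which does NOT disable DoH.)
$TTL 300
@                         IN SOA  localhost. root.localhost. (
                                  2019091001 ; serial (constructed for the example)
                                  3600       ; refresh
                                  900        ; retry
                                  604800     ; expire
                                  300 )      ; negative cache TTL
                          IN NS   localhost.

; Firefox asks for A and AAAA records of this canary; NXDOMAIN = "do not use DoH".
use-application-dns.net   CNAME .
; Also cover any label below the canary, in case a sub-name is queried.
*.use-application-dns.net CNAME .

; --- named.conf (added example: the two statements that activate the zone) ---
// options {
//     ...
//     // Apply the policy zone to every recursive answer this resolver gives.
//     response-policy { zone "rpz.local"; };
// };
//
// zone "rpz.local" {
//     type master;
//     file "/etc/bind/rpz.local";   // path assumed
//     allow-query    { none; };     // clients must never query the RPZ zone directly
//     allow-transfer { none; };
// };
```

After reloading Bind (`rndc reload`), a query such as `dig @127.0.0.1 use-application-dns.net A` sent through the resolver should come back with `status: NXDOMAIN`; `named-checkzone rpz.local /etc/bind/rpz.local` validates the zone file before deployment. Keep in mind that this only influences Firefox's automatic detection: a browser whose DoH resolver is configured manually never consults the canary, so RPZ is a complement to, not a substitute for, endpoint policy and egress filtering.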

This will only "prevent" the automatic detection of the ability to use the feature, not prevent the use of the feature, correct? I have my Firefox *manually* configured with the instructions for Quad9 https://www.quad9.net/doh-quad9-dns-servers/ with the about:config setting "network.trr.bootstrapAddress" set to the necessary IP "9.9.9.9". I presume doing this will completely bypass any attempt at using DNS to attempt to determine what works, and thus will bypass your attempt at blocking it.

The initial issue, of course, is from a security logging standpoint. All of a sudden your browser DNS queries are not going through the filtering and logging, which is a gold mine of information. That can be resolved by setting up a DoH proxy to your existing DNS infrastructure and pointing the browsers at it. If supporting a larger network, this is adding more policy work. Two questions: does Chrome have a similar mechanism as you describe for Firefox? And I wonder what the best practice/standards are/will be for discovery on the network. Perhaps using a standard SRV record that one can define in the zone(s) servicing the network that DoH-enabled services might initially query to find any internal DoH servers, or will it try the system-defined DNS server by default, attempting to use port 443? If those two would make implementation and management easier.